acceleration of statistical detection of zero-day malware in the memory dump using cuda-enabled gpu...
TRANSCRIPT
Acceleration of Statistical Detection
of
Zero-Day Malware in the Memory
Dump Using CUDA-Enabled GPU
HardwareIgor Korkin, Ph.D. Iwan Nesterow
Independent Researchers2016
Agenda
1. Motivation
2. Analysis of drawbacks of drivers detection
3. HighStem prototype
4. Drivers detection in the memory by separating code from data
5. GPU & CPU powered dump analysis
5-year cyber espionage attack
69 countries were attacked
Sensitive data were collected from hundreds of victims*https://securelist.com/blog/incidents/57647/the-red-october-campaign/
Well-targeted Well-prepared
― Uses 0-day exploits
― Contains fake digital certificates
― Applies anti-forensics tricks
Modern malware in modern world
Havex malware
+20% rise of incidents
Detection becomes too time-consuming
BlackEnergy trojan
BlackEnergy used fake digital certificates
(on the right hand side) and also notice how the expiration date of the certificate
is set to 2040Certificate from the legal file
Certificate from the
BlackEnergy trojan
http://malware-unplugged.blogspot.ru/2016/02/blackout-memory-analysis-of-blackenergy.html
Inside modern malware & its detection
driverdropper
exploitPC was OK
AVs issue updateMalware is deleted
PC is OK again
infection phase
Hackers improve malware
Warn users early
Cross-view drivers detection
# Drivers list made by Example of the lists content Vulnerable
1 A built-in tool, e.g.ZwQuerySystemInformation yes
2 An expert Hope not
How to get the 2nd list of drivers?
• Match the contents of two lists of drivers:
A B C, ,
1 , , ,2 3 4
Warn about a suspicious
driver
Original memory After a new ‘driver C’ is loaded
Using updates in the memory content as a source for drivers detection
Driver A Driver B Driver CDriver A Driver B
Ways to detect:o linkso signatureso statistics
Two updates:• new structures
• new file driver
Classification of drivers detection
The ways to detect drivers
Using drivers structures
Using the content of the drivers files
Classification of drivers detection
The ways to detect drivers
Using drivers structures
Using the content of the drivers files
Based on the links between structures
Signature-based scanning of drivers structures
Classification of drivers detection
The ways to detect drivers
Using drivers structures
Using the content of the drivers files
Based on the links between structures
Signature-based scanning of drivers structures
Signature-based detection
Statistical-based detection
50 80100
8050 10
A.sys B.sys C.sys
Get a drivers list using links Overcome detection by unlinking
Detect drivers using drivers listsDrivers list names Name of structure
PsLoadedModuleList KLDR_DATA_TABLE_ENTRY ObjectDirectory DRIVER_OBJECT Service record list by SCM SERVICE_RECORD Threads from ‘System’ ETHREAD Recently unloaded drivers UNLOADED_DRIVERS
50 80100
5080 10
Get a list using structs signatures Overwrite fields to hide structure
Apply byte-to-byte scanning usingstructures signatures to detect drivers
Type of structures signature Examples of signatures and structures
Pool-tagby ExAllocatePoolWithTag
KLDR_DATA_TABLE_ENTRY DRIVER_OBJECT SERVICE_RECORD
Bytes fragments(fields-based signatures)
50 80100
5080 10
MmLd MmLd MmLd
B8
04
B8
04
B8
04
50 80100
5080 10
MmLd NULL MmLd
B8
04
FF
00
B8
04
03 28 871B 05 5601 01 E4
03 28 841B 05 B0E4 E4 E4
03 28 841B 05 B018 18 E4
03 281B 05
E4--
-
-
Structure Signature
03 28 851B 05 78
12 E412
* ADFSL’14
“MmLd”“Driv”“sErv”
What do we still have in the memory?
Driver A
Header
Import Address table
Code section(executable)
Header
Import Address table
Code section(executable)
Driver B
Header
Import Address table
Code section(executable)
Hidden Driver C
How to find PE-files in the memory?
Driver as a PE-file includes:
PE-file features
CountermeasuresType of signature Examples
ASCII Strings‘MZ’ , ‘PE’ ,
‘This program cannot be run in DOS mode’ Data overwriting
ASCII Strings ‘ZwOpenFile’
Bytes combination(prologue &
epilogue)
8BFF MOV EDI,EDI55 PUSH EBP8BEC MOV EBP,ESP
8BE5 MOV ESP,EBP5D POP EBPC20400 RET 4
Code obfuscating & packing
Apply byte-to-byte scanning using features of PE-file to detect drivers
Header
Code section(executable)
Import Address table
What do we still have in the memory?
Driver A
Header
Import Address table
Code section(executable)
Header
Import Address table
Code section(executable)
Driver B
Header
Import Address table
Code section(executable)
Hidden Driver C
How to find code sections?
Using binary Entropy to separate data types
Definition: 𝑆=−∑𝑖=1
255
𝑝𝑖∗ log2𝑝𝑖
𝑝𝑖− h𝑡 𝑒 𝑓𝑟𝑒𝑞𝑢𝑒𝑛𝑐𝑦 𝑜𝑓 h𝑒𝑎𝑐 𝑏𝑦𝑡𝑒𝑣𝑎𝑙𝑢𝑒𝑖𝑛 h𝑡 𝑒 𝑓𝑖𝑙𝑒 .
Entropy
*Using Entropy Analysis to Find Encrypted and Packed Malware by R. Lyda & J. Hamrock
Plain text
Native exe
cutables
Packed exe
cutab
les
Encry
pted execu
tables
3
5
7
0
1
2
3
4
5
6
7
1 501 1001 1501 2001
Using sliding-window approach to locate executable code
Executable code with high entropy
Entr
opy
valu
es
Offsets
Window size is 256 byte
Overlap is 256 byte
E.g.
Overcome
entropy
analysis
Its vulnerability
An idea to overcome entropy analysis &
its vulnerabilityOriginal code
with high entropyInsert blocks to decrease entropy
blocks with zero entropy
Locate data blocks using byte histogram:
It is also susceptible!
97 97 97 97 97
31 31 31 31 31
67 67 67 67 67
Zeus
Tro
jan
All detection methods are vulnerable
Let’s consider the most difficult case for detection - HighStem
The ways to detect drivers Anti-forensic technique
Using drivers structures
Using links between structures Unlinking
Signature-based scanning Overwriting
Using content of drivers files
Signature-based scanning Overwriting & PE packing
Statistical-based detection Inserting data blocks
Highest Stealth Malware (HighStem) imitates the most difficult case for
detection1. Apply Atsiv or Turla Driver Loader to load a HighStem driver2. Collect data without OS function:
3. Improve Zeus manipulation:
kbdhid.sys → DEVICE_EXTENSION →KEYBOARD_ATTRIBUTES
or/and
Insert data blocks
with low entropy
A B C
AB
CSpread code
fragments...
Read keystrokes from the memory
Blockswith zero
entropy
How to reveal all parts of diluted executable?
• Calculate entropy using smaller window size
AB
C...
AB
C...
Apply digital photogrammetry to locate a code
HEADER
CODE
CODE
CODE
IMPO
RT
*Lower Manhattan, November of 2000 by AirPhotoUSA
Analyze the disassembly code
A
...C
B
A B C
push %ebp mov %esp,%ebp push %ecx sub $0x4,%esp movl $0x80484b0,(%esp) call 80482f4 mov $0x0,%eax
1
2
3
4
1
2
3
Apply Zipf-Mandelbrot
law
2
# of
occ
urre
nces
Zipf Law=const,
Zipf-Mandelbrot law
Word rank
*Zipf, Human behavior and the principle of least efforts Mandelbrot, An information theory of the statisticalstructure of languages
Zipf-Mandelbrot lawFrom linguistics to disassembly
listings
Graphics card - a powerful computing unit in a PC
PCI-e Bus
CPU & RAM:• 32 cores on CPU• 16 GB/s bus speed• 8-16 GB of RAM
~0,6 Teraflops
Graphics card:• 1536 cores on GPU• 130 GB/s bus speed• 4 GB of RAM
>1 Teraflops
Graphics card with itsown processors & memory
16 GB/s
16 GB/s
16 GB/s
*GeForce GTX 980M*Intel i7-6785R, launch date Q2'16
• We tested drivers detector from the paper ‘Applying memory forensics to rootkit detection’ ADFSL’2014, Richmond, VA
• GPU works efficiently on 128-byte size coalesced memory• GPU operates much slower on distinct memory fragments
Porting issues of common sliding-window algorithm to GPU
Sliding-window algorithm
(on DRIVER_OBJECT structure,
164 byte block)
Local data processing with coalesced memory accesses
Processing of data, which is located out the window block(e.g. dereferencing pointers)
Hybrid GPU & CPU architecture for common sliding-window algorithm
processingDecomposition task
Local block processing
GPU
Dump file
Out of the block
processing
CPU & RAM
Aggregation task
Shared memory with preliminary
results
Dump file43
1
2
0 200 400 600 8000
100
200
300
400
500
600
700
Speeding up memory forensics by CUDA-enabled GPU hardware
Dura
tion,
sec
Dump size, Mb
only CPU,Intel i7-4870HQ
GPU & CPUGeForce GTX 980M
Conclusions
• Prototype of the most hidden code – a HighStem
• Ideas to locate executable code
• Using CUDA to speed up memory dump analysis
#1: MemoryMon monitors memory changes to track programs activities
in real time•
Monitoring & controlling kernel-mode events by HyperPlatform by Satoshi Tanda @standa_t and Igor Korkin, REcon 2016.
• MemoryMon scenarios:
• Details:
Case 2
Suspicious Driver
?Write
Other Drivers
Case 1
Sensitive Data Unknown
driver
Driver A?Read
Read
Write
#2: Apply virtual reality headset for digital forensics investigations
by Oculus
by Samsung
http://www.pocket-lint.com/news/134352-vuzix-iwear-720-a-vr-headset-that-s-like-putting-a-130-inch-tv-in-front-of-your-face
‘It's like watching a 130-inch television screen from 10 feet away’*